aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requires the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 67cab25..60b9857 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -292,10 +292,16 @@
  *             defined by a data unit number. The data unit number must be
  *             provided by \p iv.
  *
+ *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ *             AES blocks. If the data unit is larger than this, this function
+ *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
  * \param ctx          The AES XTS context to use for AES XTS operations.
  * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                     #MBEDTLS_AES_DECRYPT.
- * \param length       The length of a data unit in bytes.
+ * \param length       The length of a data unit in bytes. This can be any
+ *                     length between 16 bytes and 2^24 bytes inclusive
+ *                     (between 1 and 2^20 block cipher blocks).
  * \param iv           The address of the data unit encoded as an array of 16
  *                     bytes in little-endian format. For disk encryption, this
  *                     is typically the index of the block device sector that
@@ -309,7 +315,8 @@
  *
  * \return             \c 0 on success.
  * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
- *                     smaller than an AES block in size (16 bytes).
+ *                     smaller than an AES block in size (16 bytes) or if \p
+ *                     length is larger than 2^20 blocks (16 MiB).
  */
 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
                            int mode,
diff --git a/library/aes.c b/library/aes.c
index 2dc600c..2b64387 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1158,6 +1158,9 @@
     if( length < 16 )
         return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
 
+    /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
+    if( length > ( 1 << 20 ) * 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
 
     mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, iv, t_buf.u8 );
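Review bot: The bound in the added check, `( 1 << 20 ) * 16`, is computed in `int`, so on a target where `int` is 16 bits the shift is undefined and the 2^20-block limit would not be enforced as intended. Writing it as `if( length > ( 1UL << 20 ) * 16 )` keeps the arithmetic in a type that is at least 32 bits wide on every conforming compiler. The comment above it cites "NIST SP 80-38E", which should read `/* NIST SP 800-38E disallows data units larger than 2**20 blocks. */`. The new return also drops the parenthesised form used by the `length < 16` check just before it, so `return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );` would match. The enclosing function starts and ends outside this hunk, so the type of `length` is not visible here.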